How ING Avoids Customization Nightmares

ING CIO says the bank's new operations model is helping centralize more IT work, while still letting leaders react to local market needs around the globe. The ultimate goal: Make IT faster.

Most anywhere in the world, people with bank accounts will want to transfer money from savings to checking. So shouldn't a global bank have one software system that supports that kind of transfer, rather than have a different one in each of more than 25 countries in which it operates?

The simple answer is yes, but the complicated question is: how? Balancing the cost savings of scale against the need for customization to meet local market and regulatory conditions is one of the thorniest problems of global IT. ING's solution to that problem is the subject of an in-depth paper by ING executives Saul van Beurden, CIO of retail banking direct and international, and Ron van Kemenade, CIO of retail banking Benelux, along with consultants from the Boston Consulting Group. (Download the full paper, "Between Anarchy and Dictatorship," here.) I spoke with van Beurden, who's also head of enterprise architecture and IT strategy for ING, about the global IT operating model the financial services company created to deal with such issues.

ING has moved into new markets in an entrepreneurial way: It hired strong leaders and gave them a mission, budget, and some good people to build the business. But that approach has a downside. "By doing that you get all different types of banks in terms of an IT footprint," van Beurden says. So for ING to come out of the recent banking crisis stronger than it had been going in, the company needed to create a new IT operating model.

That operating model puts every IT choice into one of four modes:

1. Shared, in which every IT element is run from the central organization.

2. Coordinated, where each country can take its own software approach, but each country must deliver the same result. For example, the system might have to deliver the data for a particular metric the bank uses to assess and manage global risk.

3. Isolated, meaning each country can use its own distinct IT approach.

4. Replicated, which means the core software infrastructure is run from a single country (often the Netherlands HQ), but the local operation has a library of configuration options that it can change to create different products and names or react to different regulations. So the Netherlands and Poland can have different savings account rates to reward long-time customers, but the back-end software system and process for transferring money into an account are identical.

It's that replicated model that’s so important because it "takes away the 'Sophie's choice,'" van Beurden says. "In the past, we ran with two models. It was all isolated, or it was completely shared."

Still, the hard part in any model like this one is saying no when a country CIO makes the case for customizing software to a local rule or market.

"The first thing was always 'We can't do this because my country does not allow it,'" van Beurden says. Anticipating that resistance, ING conducted deep research into the laws and regulations in every country in which it operated. The analysis found only four countries that prevented the bank from keeping data in an ING data center outside of the operating country. Van Beurden would only mention Turkey, saying it's well known for its strict regulations. The other three "my banking friends from the competitors will have to find out for themselves," he says.

Before a country's IT team is allowed to customize software, the local CIO must personally make the case before a technology standards board of eight to nine top executives from business units and IT. "If there are no exceptions, we have a short meeting," van Beurden says.

To implement the shared and replicated systems, ING plans to use private cloud data centers, run by a third-party provider that functions as a "financial sector utility," providing services to ING and several other banks. ING still has a number of management and regulatory issues to work out before that transition happens, and van Beurden declined to say which other banks it's negotiating with as fellow tenants. ING doesn’t think it should be building its own data centers but instead using dedicated infrastructure inside such a facility, he says.

Now that the operating model is in place, van Beurden sums up the biggest challenge as "endurance."

"This is not an easy catch, not something you do overnight," he says. "… It will be two or three years before you see standardization on such a scale that the footprint for the bank is really becoming lightweight instead of heavyweight, and the cost is going down and the speed is going up." And it'll be five to eight years before the entire operating model is completely deployed and successful.

Notice the tension in ING's goals--centralize and lower costs for run-the-bank IT, but also make IT faster and more adaptable at the same time. For any company trying to come out of the recession stronger, those are the right goals.

To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.

Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.